IAM: Making the Case for an Investment
How a CISO Can Help Business Leaders Understand the NeedWhen it comes to identity and access management, there is often a lack of understanding among business leaders. Here's a simulated conversation between "Chris" - a CISO, and "George" - a CXO, that shows how the security professional can steer the discussion for an explanation of why deploying IAM technology is important to the business.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
Chris: Need to talk to you. It's about secure access, information risk and business value.
George: Please, not another argument for IAM! Make it quick. Executive-level only.
Chris: The challenge is that automated and efficient IAM is expensive. But so is non-compliance. There are very few effective low-cost alternatives.
George: I can't afford a mature process. I have to work with what I've got: manual processes, six people, and too many access request tickets. We're not making any of our service targets, and my budget request was denied.
Chris: It seems you've defined the problem.
George: Cute. The clock's ticking.
Chris: There is a curve of productivity that peaks in every service delivery process. Past a certain point, more people don't make the service more effective. Process automation is the only effective, adaptive and scalable alternative.
George: But my provisioning matrix is too complex; it's as if every request is unique - a dozen applications, at three different access levels from four different endpoints, and policy changes for vendors, partners and telecommuters. Argh!
Chris: You need a plan.
George: I've got a plan, what I need is a solution.
Chris: What you need are three things:
First, you need a formal plan that describes for business leadership, in little words they can understand, the three core elements of your problem - your current state, your success state and the service gap (don't call it a pain gap). Include your brief assessment as to why it's a business priority and a simple recommendation. They can't say yes if you don't ask.
George: I did ask.
Chris: Second, you need checklists: Logic-decision trees to take the decision-making out of the service approval loop. Get your information stakeholders to pre-approve classes of users, access levels and constraints so the IAM request is simple for the requestor and your team. Risk management and leadership will need to sign off, but you'd be surprised at how they hate complexity as much as you. Collaboratively, you'll simplify your matrix, checklists and re-set reasonable service delivery expectations.
George: Collaborate is a big word.
Chris: Third, you need self-service password reset capability. You'll drop 25 percent to 35 percent of your service desk and provisioning tickets. It's a technology available for most every access system. The return on investment should be less than one year.
George: Do you also write policies?
Chris: Yes. But, work with the policies you have in place. The important thing is to execute your plan. Focus your team on the parts that add lasting value - that leverage small changes into bigger outcomes. Break down the bigger processes into actionable pieces that one person or role can improve.
George: The fires we have to put out are monstrous.
Chris: "Hot Shots" are constantly out-sized by the fires they face. They follow very carefully tested processes that force-multiply into repeatable success. Their lives depend on it.
George: But I don't have controls for every type of remote access request.
Chris: Offer no service that you don't first have a policy and a security control to support. Business line management and leadership may not like that answer, but risk management will stand with you because leadership must sign off on owning all assumed risk.
George: Leadership has already said "no" to IAM.
Chris: Did you make it clear to them the cost of "no?" Is their decision based on competing programs? Because IAM is not a technology project; it's a business-essential process, supported by technologies. Without people gaining access to information resources - what they need, when they need it - the effectiveness of all other programs is compromised.
George: I'll quote you. Thanks.
Paidhrin is the security administration manager in the information security technology division of PeaceHealth, a healthcare delivery system in the Pacific Northwest where he has worked for 12 years. Earlier, he worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.